Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

mvlist functionality

javiles1960
Explorer
‎03-27-2014 02:29 PM

My search (1)

transaction PG SessionID mvlist=SessionEventNet nullstr=0|eventstats sum(SessionEventNet) as SessionNet

works great, my search (2)

transaction PG SessionID mvlist=PN nullstr=0|eventstats sum(PN) as CashIn

works great as well, my search (3)

transaction PG SessionID mvlist=SessionEventNet PN nullstr=0|eventstats sum(SessionEventNet) as SessionNet sum(PN) as CashIn

does not produce the desired results on CashIn, only on SessionEventNet
Anyone???

Tags (2)
Reply

AlekseiVasiliev
Explorer
‎01-15-2019 05:50 AM

You should use quotes:

mvlist="SessionEventNet PN"
Reply

javiles1960
Explorer
‎03-28-2014 02:21 PM

Here is how I solved it:

transaction PG SessionID mvlist=(t SessionEventNet PN) nullstr=0|eventstats sum(SessionEventNet) as SessionNet sum(PN) as CashIn

Reply

javiles1960
Explorer
‎03-27-2014 03:31 PM

already tried it. The default delim=" ", can be changed to delim="," however I think I tried both ways.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-27-2014 03:11 PM

The doc says mvlist takes a comma-separated list of fields, so try this:

transaction PG SessionID mvlist=SessionEventNet,PN nullstr=0|eventstats sum(SessionEventNet) as SessionNet sum(PN) as CashIn

http://docs.splunk.com/Documentation/Splunk/6.0.2/SearchReference/Transaction

0 Karma
Reply

kenkenou
Explorer
‎12-13-2016 04:46 PM

Did you try mvlist=(actionName,event_time*)* ?

Add () to the fileds.May be it works.

0 Karma
Reply

gt_dev
Explorer
‎12-13-2016 01:25 PM

I am still not able to get 2 fields in the mvlist list. Here is my transaction line now:

| transaction visitID mvlist=actionName

i get a nice set of values that groups actions by visitID. However, if i change the above line to:

| transaction visitID mvlist=actionName,event_time

I get a totally different result set that doesn't look anything like the way i want it. Below is my full query:

source="/var/log/logstash/dynatraceqa*" businessTransaction="Real User Page Actions - Copy"
| transaction visitID mvlist=actionName
| table  application, visitID,  event_time, actionName, eventcount
| sort event_time
| addtotals row=f col=t fieldname=Total labelfield=actionName eventcount
| rename event_time as "Start Time", application as "Application", visitID as "Visit ID", actionName as "User Action". eventcount as "Action Count"
0 Karma
Reply

ppablo
Retired
‎12-13-2016 01:30 PM

Hi @gt_dev

This question is over 2 years old. I'd suggest asking your own question instead of trying to get help on an old thread.

0 Karma
Reply

gt_dev
Explorer
‎12-14-2016 04:40 AM

good idea

0 Karma
Reply

javiles1960
Explorer
‎03-27-2014 03:32 PM

already tried it. The default delim=" ", can be changed to delim="," however I think I tried both ways.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...